Update: The Sequential-context attack vector Hypervisor-Specific Mitigations described in VMSA-2018-0020, are cumulative and will also mitigate the issues described in VMSA-2018-0002.

The purpose of this article is to describe the security issues related to speculative execution in modern-day processors as they apply
to VMware and then highlight VMware’s response.

For VMware, the mitigations fall into 3 different categories:

• Hypervisor-Specific Mitigation
• Hypervisor-Assisted Guest Mitigation
• Operating System-Specific Mitigations

Additionally, VMware is mitigating these issues in its services.

This Knowledge Base article will be updated as new information becomes available.

Introduction

On January 3, 2018, it became public that CPU data cache timing can be abused by software to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Three variants have been recently discovered by Google Project Zero and other security researchers; these can affect many modern processors, including certain processors by Intel, AMD and ARM:

• Variant 1: bounds check bypass (CVE-2017-5753 and CVE-2018-3693) – a.k.a. Spectre
• Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
• Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown

Operating systems (OS), virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode must all be patched or upgraded for effective mitigation of these known variants. General purpose operating systems are adding several mitigations for them. Most operating system mitigations can be applied to unpatched CPUs (and hypervisors) and will significantly reduce the attack surface. However, some operating system mitigations will be more effective when a new speculative-execution control mechanism is provided by updated CPU microcode (and virtualized to VMs by hypervisors). There can be a performance impact when an operating system applies the above mitigations; consult the specific OS vendor for more details.

Hypervisor-Specific Mitigation

Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM. VMware’s hypervisor products are affected by the known examples of variant 1 and variant 2 vulnerabilities and do require the associated mitigations. Known examples of variant 3 do not affect VMware hypervisor products.

Update: On July 10th, 2018 Intel updated security advisory INTEL-OSS-10002 with CVE-2018-3693 a.k.a. Bounds Check Bypass Store. This issue is similar to Spectre variant 1 previously mentioned. At the time of this publication VMware has not found any exploitable instances of this vulnerability in our hypervisors. VMware will remain vigilant in updating our mitigations as new speculative-execution vulnerabilities are uncovered.

VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. For the latest information on any VMware performance impact, see KB 52337.

Hypervisor-Assisted Guest Mitigation

It virtualizes the new speculative-execution control mechanism for guest VMs so that a Guest OS can mitigate leakage between processes within the VM. This mitigation requires that specific microcode updates that provide the mechanism are already applied to a system’s processor(s) either by ESXi or by a firmware/BIOS update from the system vendor. The ESXi patches for this mitigation will include all available microcode updates at the time of release and the appropriate one will be applied automatically if the system firmware has not already done so.
No significant additional overhead is expected by virtualizing the speculative-execution control mechanism in the hypervisor. There can be a performance impact when an operating system applies this mitigation; consult the specific OS vendor for more details.

Operating System-Specific Mitigations

Mitigations for Operating Systems(OSes) are provided by your OS Vendors. In the case of virtual appliances, your virtual appliance vendor will need to integrate these into their appliances and provide an updated appliance.

VMware Software-as-a-Service (SaaS) Status Updates

VMware is in the process of investigating and patching its services. The current status is found in the Resolution section.

Performance impact considerations

For the latest information on how mitigations for the aforementioned issues may affect performance, see KB 52337.

Documentation Timeline

• 01/05/18: KB52264 Published - VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown)
  
• 01/09/18: KB52085 Published - Hypervisor-Assisted Guest Mitigation for branch target injection
• 01/12/18: KB52337 Published - VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown)
• 02/15/18: VMware Security Advisory Major Update - VMSA-2018-0007.1
• 03/15/18: VMware Security Advisory Major Update - VMSA-2018-0007.2
• 05/03/18: VMware Security Advisory Major Update - VMSA-2018-0007.3
• 05/31/18: VMware Security Advisory Major Update - VMSA-2018-0007.4
• 07/09/18: Added Information on CVE-2018-3693.

  Hypervisor-Specific Mitigation

Specific versions of VMware vSphere ESXi (5.5, 6.0, 6.5, VMC), VMware Workstation (12.x, 14.x), and VMware Fusion (8.x, 10.x) have already been updated with hypervisor-specific mitigations.

Please note that all provided VMware hypervisor-specific mitigations mentioned in this Knowledge Base article can only address known examples of the variant 1 and variant 2 vulnerabilities; known variant 3 examples do not affect VMware hypervisors. VMware will remain vigilant in updating our mitigations as new speculative-execution vulnerabilities are uncovered and as new CPU vendor microcode becomes available.

Hypervisor-Assisted Guest Mitigation

Hypervisor-Assisted Guest Mitigation patches are now available. Mitigation requirements including patches. Detailed instructions on enabling Hypervisor-Assisted Guest Mitigation can be found in Hypervisor-Assisted Guest Mitigation for branch target injection (52085).

On 01/12/18 VMware removed ESXi patches which were originally released on 01/09/18 with VMSA-2018-0004. For historical information on this event.

Operating System-Specific Mitigations

VMware Virtual Appliances

General information on VMware virtual appliances including a list of affected and unaffected appliances can be found here: https://kb.vmware.com/s/article/52264.

Photon OS
Photon OS has begun releasing fixes which are documented in Photon OS Security Advisories.
PHSA-2018-1.0-0097
PHSA-2018-2.0-0010
PHSA-2018-1.0-0098
PHSA-2018-2.0-0011

VMware products that are installed and run on Windows
VMware products that run on Windows might be affected if Windows has not been patched with appropriate updates. VMware recommends that customers contact Microsoft for resolution.

VMware products that are installed and run on Linux (excluding virtual appliances), Mac OS, iOS or Android
VMware products that run on Linux (excluding virtual appliances), Mac OS, iOS, or Android might be affected if the operating system has not been patched with appropriate updates. VMware recommends that customers contact their operating system vendor for resolution.

VMware Software-as-a-Service (SaaS) Status Updates

VMware Cloud on AWS
https://docs.vmware.com/en/VMware-Cloud-on-AWS/0/rn/vmc-on-aws-relnotes.html